Click fraud in the media: Most shocking cases of advertising fraud
Controversies and incidents
Forbes MFA subdomain - 2024
In 2024, a report from Adalytics, a log file analysis business for media buyers, found that Forbes were repurposing articles into listicles and slideshows and running them on the subdomain www3.forbes.com.
Forbes appeared to be driving traffic to this MFA (Made For Ads) version using clickbait-laden ads placed on content recommendation services such as Outbrain and Taboola.
Although this subdomain was considerably lower quality than the main Forbes site, media buyers were thought to be placing ads on the subdomain under the false impression they were advertising on Forbes.com.
Whereas regular Forbes articles acquired traffic from organic links and regular readers, and contained around 5-10 ads per article, articles on the subdomain had up to 200 ads. The subdomain was excluded from indexing by search engine crawlers, and if users tried to access the subdomain directly they’d be diverted to the main Forbes website.
Some buyers reported that around a third of their ad impressions appeared to be coming from the subdomain during the period that it was live.
Google Video Partners program quality - 2023
Google's Video Partners program promises to display video ads on third-party websites that meet specific standards.
But analysis by Adalytics in 2023, as reported by The Wall Street Journal, revealed that Google had fallen short of this commitment in up to 80% of cases.
Adalytics reviewed ad placements for 1,100 brands between 2020 and 2023, discovering that Google often placed ads on low-quality, clickbait, or even pirated content sites, contrary to the program's guidelines.
Additionally, the report stated that ads were frequently shown in small, muted boxes rather than in prominent positions with sound, as promised.
Websites found to be running muted video ads included the New York Times, Reuters, Wired, Mashable and Gizmodo.
Google denied all the allegations in the report.
Botnets and ad fraud gangs
Methbot network - 2015 to 2016
Methbot was a major botnet and ad fraud operation first tracked by HUMAN Security (then White Ops) in 2015, and eventually shut down a few years later after ramping up in 2016. The name Methbot comes from the numerous mentions of meth in the bot’s source code.
Aleksandr Zhukov, the Russian national behind the operation, referred to himself as the “King of Fraud”. He ran a seemingly legitimate business called Media Methane, which was in reality a front for Methbot. He was convicted in a jury trial in the U.S. for related charges and sentenced to 10 years in prison in 2021.
The scam was sophisticated. Whereas many botnets use hijacked (virus-infected) home computers and mobile phones to spam servers with HTTP requests from genuine residential IP addresses, Methbot originated its traffic from between 800 and 1,200 physical servers in datacenters in the US and Amsterdam.
Datacenter traffic is normally simple to identify, but the gang behind Methbot registered 571,904 residential IP addresses with fake registration details. This made them appear to be genuine residential addresses from major US ISPs such as Verizon or AT&T.
The gang then used over 6,000 domain names hosting over 250,000 distinct URLs to create fake video player pages appearing to belong to premium publishers.
Servers proxying through the 571,904 IP addresses then generated clicks to these fake video pages using headless browsers, “watching” video ads, and also simulating real user behavior such as pausing video plays mid-way, and clicking on the ads.
The headless browsers used in Methbot’s network were set up to appear as natural as possible, even adhering to working hours (i.e. sleeping when a human user would be). The browsers were programmed to mirror real human-controlled browsers, including appearing to be logged into Facebook, and seemingly having different browser extensions installed.
Through this vast network, Methbot was thought to have watched up to 300 million video ads every day, allowing the gang to steal between $3 and $5 million per day from US advertisers.
The network was dismantled through the combined efforts of the FBI, Google, and several cybersecurity firms. The botnet had defrauded advertisers out of at least $7 million over its years of operation.
3ve botnet - 2013 to 2018
Pronounced as “eve”, 3ve was an ad fraud botnet that was known to operate between 2013 and 2018.
Sergey Ovsyannikov and Yevgeniy Timchenko, both citizens of the Republic of Kazakhstan who ran the network alongside other collaborators, were arrested in 2018 and pleaded guilty in 2019. Aleksandr Zhukov, the Russian citizen behind the Methbot operation (see above), was charged in the same 2018 indictment. Methbot and 3ve are considered to be closely linked.
The 3ve scheme was largely a traditional botnet, in that it relied on infected home and office computers to generate fake clicks on fake webpages containing real ads. Devices were infected with malware inadvertently downloaded through spoof emails and fake downloads.
In contrast to Methbot, the traffic was inherently genuine to the outside world, since traffic originated from genuine residential or business addresses and was made through real browsers. The software still had to mimic human browsing behavior, however.
The 3ve botnet was thought to have controlled more than 1 million IP addresses, and 1.7 million PCs. Around $30 million is estimated to have been stolen.
Vastflux
Vastflux was first detected by HUMAN Security researcher Vikas Parthasarathy in the summer of 2022.
The attack impacted 11 million phones, with the attackers spoofing 1,700 apps and targeting 120 publishers. At its peak, the attackers were making 12 billion requests for ads per day.
It was a sophisticated fraud that in summary involved stacking up to 25 video ads in the same video ad slot, within legitimate ad spots in real apps, used by genuine users. However, since only the topmost ad was actually viewable, the other 24 or so ads were sold without a human ever being able to see them. Since the gang behind Vastflux rented the ad spot but collected the ad revenue from each ad, they received the proceeds from billions of fake ad views every day.
Several techniques were developed to avoid detection. For example, each ad impression served was spoofed to look like it came from one of 1,700 genuine apps, so ads appeared to be being played across a mix of apps.
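One way a measurement team could flag the stacking pattern described above, shown as an added example rather than HUMAN Security's actual method: it looks for devices where several video ads are playing at the same moment and are declared by several different apps. The record layout, device and bundle names, and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample impressions (not real data):
# (device id, playback start in s, duration in s, declared app bundle).
IMPRESSIONS = [
    ("dev-A", 0, 30, "com.example.news"),
    ("dev-A", 40, 30, "com.example.news"),   # sequential ads: normal
    ("dev-B", 0, 30, "com.example.game1"),
    ("dev-B", 1, 30, "com.example.game2"),   # overlapping ads, each declaring
    ("dev-B", 1, 30, "com.example.chat"),    # a different app: stacking with
    ("dev-B", 2, 30, "com.example.maps"),    # spoofed app identities
]

def max_concurrent(intervals):
    """Sweep line: largest number of playback intervals open at once."""
    events = []
    for start, dur in intervals:
        events.append((start, 1))
        events.append((start + dur, -1))
    # Ends sort before starts at the same instant, so back-to-back ads
    # are not counted as overlapping.
    events.sort(key=lambda e: (e[0], e[1]))
    open_now = peak = 0
    for _, delta in events:
        open_now += delta
        peak = max(peak, open_now)
    return peak

def find_stacking(impressions, max_playing=1, max_apps=1):
    """Return {device: (peak concurrent ads, distinct declared apps)} for
    devices that exceed either (assumed) threshold."""
    plays = defaultdict(list)
    apps = defaultdict(set)
    for dev, start, dur, bundle in impressions:
        plays[dev].append((start, dur))
        apps[dev].add(bundle)
    flagged = {}
    for dev, intervals in plays.items():
        peak = max_concurrent(intervals)
        if peak > max_playing or len(apps[dev]) > max_apps:
            flagged[dev] = (peak, len(apps[dev]))
    return flagged

if __name__ == "__main__":
    for dev, (peak, n_apps) in find_stacking(IMPRESSIONS).items():
        print(f"{dev}: {peak} ads playing at once, {n_apps} declared apps")
```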
The name Vastflux is a play on words, a combination of “fast flux” (rapidly swapping out the IP addresses associated with a domain, so that malicious domains used for criminal activity are harder to block), and VAST (a video advertising order system developed by the Interactive Advertising Bureau).
HUMAN Security worked with its partners to tackle the fraud. In December 2022, after successful interventions to reduce the scale of the fraud, the servers used for Vastflux were suddenly switched off. HUMAN Security believe they know who was behind the attack but are keeping the details secret to avoid compromising future criminal investigations.
Other notable botnets
There have been many ad fraud botnets discovered in recent times, largely since 2005. Here are some of the most notable.
PEACHPIT & BADBOX (2023)
Two connected ad fraud operations that involved selling unbranded mobile and connected TV hardware pre-loaded with malware through online retailers and resale sites. BADBOX was the operation selling the hardware, and when powered on, one of the modules activated was an ad fraud package named PEACHPIT.
PARETO (2021)
This botnet was able to evade detection by masquerading as millions of people watching ads on smart TVs and other devices. It relied on a network of Android apps using a proprietary SDK that spoofed connected TV devices at a very large scale.
HyphBot (2017)
A botnet and programmatic advertising spoofing scam that some believe was much bigger in scale than even Methbot. HyphBot was generating up to 1.5 billion requests per day and it generated fake traffic on more than 34,000 different domains, including premium publishers.
Stantinko (2012 - present)
This botnet initially used Chrome extensions to inject ads into web pages, but later shifted away from ad fraud and into crypto mining.
Chameleon (2012)
One of the first botnets programmed to mimic user behavior for interacting with display ads.
DNS Changer (2007 - 2011)
One of the earliest large ad fraud botnets. It infected browsers and redirected traffic to MFA (Made For Ads) sites controlled by its creators.
Click fraud related legal cases
Phunware Inc. v. Uber Technologies, Inc.
Uber indirectly hired Phunware in 2016, along with other third-party ad networks, to help Uber increase installations among consumers of its mobile app.
Initially it was Phunware who sued Uber for breach of contract in 2017. Uber then filed a cross-complaint the same year.
Then in 2019, the case escalated. Uber filed an amended cross-complaint for fraud, fraudulent concealment, negligence, and unfair competition. Uber alleged that Phunware used a practice known as “click flooding” to inflate the number of installs of its app generated by Phunware and its partners.
Click flooding is the practice of forcing clicks in the hope of falsely attributing an organic install to a paid source. Much of the ad traffic Phunware brought for Uber also came through auto-redirects, which automatically took visitors to an app store, whether the user clicked on the ad or not.
The case was settled in October 2020 with Phunware agreeing to pay $6 million to Uber.
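The click flooding described above leaves a measurable trace in attribution data, illustrated here with an added example that is not taken from the case filings: a flooding source shows very few installs per click and long click-to-install times, because its clicks are unrelated to the user's decision to install. The last-click model, the 7-day window, the thresholds and the source names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import median

LOOKBACK = 7 * 24 * 3600  # assumed last-click attribution window, in seconds

# Constructed sample data (not real logs): (source, device, click time in s).
CLICKS = [("net_a", "d1", 1000), ("net_a", "d2", 5000)]
# "net_x" logs a click for each of 40 devices every day, tapped or not.
CLICKS += [("net_x", f"d{i}", day * 86400) for i in range(1, 41) for day in range(3)]
# (device, install time in s); d30-d32 installed without tapping any ad.
INSTALLS = [("d1", 1060), ("d2", 5090),
            ("d30", 200000), ("d31", 230000), ("d32", 250000)]

def attribute(clicks, installs, lookback=LOOKBACK):
    """Last-click attribution: credit the latest click on the device that
    precedes the install within the lookback window."""
    by_device = defaultdict(list)
    for source, device, ts in clicks:
        by_device[device].append((ts, source))
    credited = []  # (source, click-to-install time in s)
    for device, installed in installs:
        prior = [c for c in by_device[device] if 0 <= installed - c[0] <= lookback]
        if prior:
            ts, source = max(prior)
            credited.append((source, installed - ts))
    return credited

def flag_click_flooding(clicks, installs, min_rate=0.05, max_median_ctit=3600):
    """Flag sources whose install-per-click rate is very low and whose median
    click-to-install time is long (both thresholds are assumptions)."""
    n_clicks = defaultdict(int)
    for source, _, _ in clicks:
        n_clicks[source] += 1
    ctit = defaultdict(list)
    for source, delta in attribute(clicks, installs):
        ctit[source].append(delta)
    flagged = {}
    for source, total in n_clicks.items():
        rate = len(ctit[source]) / total
        if ctit[source] and rate < min_rate and median(ctit[source]) > max_median_ctit:
            flagged[source] = (round(rate, 3), median(ctit[source]))
    return flagged

if __name__ == "__main__":
    print(flag_click_flooding(CLICKS, INSTALLS))
```

In the sample, the three organic installs are credited to net_x only because a click happened to be on record for those devices, which is the misattribution the paragraph above describes.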
Google Inc. v. Auctions Expert LLC
In the 2004 case of Google, Inc. v. Auctions Expert LLC, Google filed a lawsuit against Auctions Expert, a participant in its AdSense program, for engaging in click fraud. Google alleged that Auctions Expert generated revenue by fraudulently clicking on pay-per-click (PPC) ads displayed on its own site, which violated the AdSense agreement prohibiting any artificial or fraudulent click generation, including manual and automated clicks.
The fraudulent activity led to Google issuing refunds to advertisers for the invalid clicks generated through Auctions Expert's website. Google argued that this behavior breached the contractual terms between the two parties.
Ultimately, the court ruled in favor of Google, awarding it a judgment of $75,000 against Auctions Expert for the damages incurred due to the click fraud.
Advanced Internet Technologies, Inc. v. Google, Inc.
A US legal case brought on June 24, 2005 by Advanced Internet Technologies against Google, in which AIT asserts that Google breached its AdWords (now Google Ads) agreement by knowingly charging advertisers for fraudulent clicks.
The complaint states: “Google does not take the measures that are necessary to prevent advertisers from being charged for invalid clicks because, were Google to fully screen out invalid clicks, the pervasiveness of invalid clicks in AdWords would become obvious and this would call Google’s entire business model into question.”
The case was settled out of court, without Google needing to provide any defense or reveal any of the inner workings of the fraud protection behind the Google Ads system.